As the world continues to deal with the economic and operational challenges from the global COVID-19 pandemic, cyber criminals are seeking to exploit new work practices and capitalise on uncertainty. Organisations should be conscious of the general data, privacy and business risks associated with COVID-19.

In response to multiple requests from clients for guidance, the Australian cyber team has prepared a two-part series of updates which provides a roadmap of responses to frequently asked questions about how organisations should respond to COVID-19 from a privacy and cyber perspective.

  • Part 1: Key privacy considerations (below)
  • Part 2: Key working-from-home business and cyber risks (click here)

If you have any questions or issues that you would like us to address in further updates, please get in touch with one of the team. In particular, future updates will focus on "the road to recovery" and on assisting organisations to endure these challenging times.

Part 1 of 2: Privacy considerations in a pandemic

Q: What privacy considerations should an organisation consider in relation to outbreak of COVID-19?

Australian organisations are facing many new challenges in the fight to prevent the spread of COVID-19. While there are unprecedented risks to navigate, organisations should still remember their privacy obligations underpinning how they handle personal information.

What are the key considerations?

Many organisations will be aware of their obligations under the Privacy Act 1988 (Cth) (Privacy Act) and other State and Territory privacy laws that may apply. Generally speaking, these laws govern the handling of personal information including its collection, use, disclosure and destruction.

In responding to COVID-19, the key privacy considerations will relate to:

  • effectively managing the response to an employee reporting that they have tested positive for COVID-19, without breaching that employee's privacy, and while maintaining a safe workplace; and
  • ensuring that personal information collected in the ordinary course of business (i.e. customer and employee data) remains secure in an increased-risk environment while employees work remotely.

The Office of the Australian Information Commissioner (OAIC) has prepared some helpful guidance on how to manage privacy risk while responding to COVID-19 (see here).

How can an organisation manage privacy risk?

As a general comment, and consistent with privacy best practice, organisations should take the following steps to minimise privacy risk to employees' and individuals' data while managing the pandemic response and working remotely:

  • limit the collection, use and disclosure of personal information to only what is necessary (i.e. on a 'need-to-know' basis and only the minimum amount of information necessary). This particularly applies when communicating with employees about a staff member who has tested positive for COVID-19;
  • notify employees of how the organisation will handle their personal and health information in responding to any potential or actual case of COVID-19 in the workplace; and
  • ensure that measures are taken to secure personal information in an increased-risk environment. This includes increasing staff awareness of cyber and data risk, developing robust procedures around sharing personal information and conducting financial transactions, and enforcing increased security controls on systems to prevent data breaches from occurring.

The above steps are especially important given the pressure to respond quickly to prevent the spread of COVID-19, and the increased risks that come with working remotely: limited face-to-face interaction between staff and clients, and the use of new and unfamiliar technologies to do business.

Q: An employee confirms they have tested positive for COVID-19. What should an organisation do with this information? Should this information be disclosed to anyone? And if so, who?

If an employee tests positive for COVID-19, the employer and employee must follow the latest Government-issued guidance, including any exclusion or self-isolation requirements, to limit the spread.

This includes contact tracing to identify who might have passed on the illness to any 'confirmed case', and to understand who the 'confirmed case' was in contact with while infectious. QLD Health has provided a resource (here) on how this is to be approached.

For more information, visit the Australian Government's Department of Health website (here), or call the National Coronavirus Health Information Line on 1800 020 080 for general advice or healthdirect on 1800 022 222 if a person has symptoms. Each State and Territory Government health agency has their own website for localised information.

Safe Work Australia has recently provided a seven-step guide on how to respond to a suspected or confirmed case of COVID-19, depending on whether the individual was diagnosed while at work or elsewhere (see here). Employers should review this guide for how to respond.

What are your organisation's privacy obligations?

There are strict privacy obligations that apply when handling employee data, especially sensitive information such as health information. Although these requirements are balanced against the need to provide a safe workplace, care should be taken to protect the affected employee's privacy while notifying others of the risk of transmission.

Importantly, the Privacy Act is not intended to prevent critical information sharing, and with some simple steps organisations can remain compliant with their privacy obligations while effectively managing the response.

Q: How should any notification to employees be enacted?

When notifying employees, an organisation should only disclose information that is reasonably necessary in order to prevent or manage the spread of COVID-19 in the workplace. This may or may not include the name of the affected employee, depending on the circumstances.

When notifying employees or other persons who may have had contact with an affected employee, an organisation should:

  • Take steps to obtain the consent of the affected employee before disclosing to others that they have tested positive for COVID-19. There are exceptions to the requirement to obtain consent where it is unreasonable or impracticable to do so. Seek advice if this applies to you, as this scenario needs to be carefully managed.
  • Only reveal the name of the affected employee if necessary, and consider whether naming the individual can be restricted to a limited number of people on a need-to-know basis.
  • Only collect, use or disclose the minimum amount of the affected individual's personal information that is required to manage the risk of COVID-19 transmission.
  • Follow the Government-issued guidance on whether it is safe for employees, including the affected employee, to return to work, and communicate appropriately to all employees having regard to the above considerations.

Here are some examples of how to appropriately manage the disclosure that an employee has tested positive.

Example 1

  • An employee tests positive for COVID-19, having recently returned from overseas. The staff member did not return to the office or come into contact with anyone from work prior to showing symptoms.
  • The employee and the HR team develop a strategy in consultation with health authorities. Consent is obtained from the individual to notify staff, and to name the individual and their whereabouts prior to developing symptoms.
  • The employer decides not to name the employee, as it is not necessary to do so, but notifies all staff on a precautionary basis that a staff member has tested positive for COVID-19.
  • To manage employees' concerns, the employer informs all employees that the staff member did not come into the office or have contact with any other employees in the 24 hours prior to showing symptoms, thereby lowering the risk of transmission.
  • Nevertheless, the employer reminds all employees to continue to follow Government advice to slow the spread of COVID-19 through social distancing, and encourages all employees to work from home where possible.
  • All employees are instructed to continue to monitor their health and to contact the HR team or the COVID-19 hotline if they are concerned.

Example 2

  • An employee tests positive for COVID-19 while at work. The employee has not travelled recently, and it is unknown where the employee contracted the virus.
  • The employee and the HR team develop a strategy in consultation with health authorities. Consent is obtained from the individual to notify staff, and to name the individual and their whereabouts prior to developing symptoms.
  • HR directly contacts all employees who worked on the same floor as the affected employee, and any other employees who may have used common areas accessed by the staff member, in the 24 hours leading up to the employee showing symptoms.
  • HR informs those employees who the affected employee is, when the employee was last in the office and where, when the employee first noticed symptoms, and when the employee was diagnosed. All at-risk employees are immediately sent home to self-isolate and monitor their health.
  • The employer also sends a generic email to the entire office alerting all employees that an employee has tested positive (without naming the individual) and directs all employees to self-isolate as a precaution and monitor their health.
  • The employer thoroughly deep-cleans the office in consultation with guidance from health authorities, including ensuring that PPE is used. The employer consults with health authorities before informing all employees that it is safe to return to work.
  • In all communications relating to the event, utmost care is taken to communicate with all employees in a meaningful way so that each employee can manage their own health risk, while limiting knowledge of the affected staff member's name and other identifying details to those on a need-to-know basis.

The above scenarios are intended as practical guidance only. Appropriate advice should be obtained on a case-by-case basis, and in consultation with Government agencies and health authorities.

How can we help?

Clyde & Co has the largest dedicated, and rapidly expanding, cyber incident response practice in Australia and New Zealand. Our experienced team has dealt with over 700 data breach and technology-related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.

From pre-incident readiness and breach response, through to the defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for its expertise and experience in managing all forms of disputes across sectors, including advising on some of the most newsworthy class actions commenced in Australia.

Our 24-hour cyber incident response hotline and email allow you to reach our team directly around the clock. For more information, contact us on:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.